X-Frame-Options Header

Yellowfin FAQ shared this problem 3 years ago
Resolved

I've received a finding that Yellowfin isn't using X-Frame-Options: DENY in the HTTP Headers.

Comments (1)


Note: Please use the OWASP Secure Headers Filter instead. This can be resolved at the Tomcat level by implementing HTTP Header Security.

For Tomcat 8 (and possibly earlier)

Simply add the following to <YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml inside the <web-app> tag:

  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <!-- init-param must be nested inside the <filter> element to take effect -->
    <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>$optionHere</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

Where $optionHere signifies one of DENY, SAMEORIGIN or ALLOW-FROM, as documented in the Tomcat Configuration docs.

For Tomcat 9 (and possibly later)

It needs to be included in the web.xml file found in the /appserver/conf directory. In addition to this change, the init-param values need to be contained within the filter block itself (see the example below):

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param> 
        <async-supported>true</async-supported>
    </filter>
In addition to this, you would need to include the httpHeaderSecurity filter in the same file (example of the filter below):
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
Giving you a full block like this:


As always, if still facing issues, please let us know and we will provide further guidance.


Regards,

Yellowfin Support Team
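Added example (not part of the support answer or of Yellowfin's own tooling): a small checker that parses a web.xml and reports whether HttpHeaderSecurityFilter is defined, whether antiClickJackingOption sits inside the filter block rather than stray at the web-app level, and whether the filter is mapped to /*. The sample web.xml string is constructed here to mirror the Tomcat 9 layout above; the DENY fallback reflects the filter's documented default when antiClickJackingOption is omitted.

```python
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
VALID_OPTIONS = {"DENY", "SAMEORIGIN", "ALLOW-FROM"}

def _local(tag):
    # web.xml normally carries the Java EE namespace; drop it for matching.
    return tag.split("}", 1)[-1]

def _child_text(el, name):
    for c in el:
        if _local(c.tag) == name and c.text:
            return c.text.strip()
    return None

def check_header_security(web_xml):
    """Report whether <web-app> wires up HttpHeaderSecurityFilter so that
    Tomcat will emit X-Frame-Options on every request."""
    root = ET.fromstring(web_xml)
    report = {"filter_name": None, "option": None, "stray_init_param": False,
              "mapped_to_all": False, "effective_option": None, "ok": False}
    for el in root:  # only direct children of <web-app> matter here
        kind = _local(el.tag)
        if kind == "filter" and _child_text(el, "filter-class") == FILTER_CLASS:
            report["filter_name"] = _child_text(el, "filter-name")
            for ip in el:
                if (_local(ip.tag) == "init-param"
                        and _child_text(ip, "param-name") == "antiClickJackingOption"):
                    report["option"] = _child_text(ip, "param-value")
        elif kind == "init-param":
            # <init-param> outside a <filter> is not valid web.xml; Tomcat does
            # not apply it, so the chosen option is silently lost.
            report["stray_init_param"] = True
    for el in root:
        if (_local(el.tag) == "filter-mapping"
                and _child_text(el, "filter-name") == report["filter_name"]
                and _child_text(el, "url-pattern") == "/*"):
            report["mapped_to_all"] = True
    if report["filter_name"]:
        # With no antiClickJackingOption the filter defaults to DENY.
        report["effective_option"] = report["option"] or "DENY"
    report["ok"] = (report["mapped_to_all"] and not report["stray_init_param"]
                    and report["effective_option"] in VALID_OPTIONS)
    return report

# Constructed sample: the Tomcat 9 layout from the answer above.
GOOD_WEB_XML = """<web-app>
  <filter><filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>antiClickJackingOption</param-name>
      <param-value>SAMEORIGIN</param-value></init-param></filter>
  <filter-mapping><filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping></web-app>"""
```

Note that ALLOW-FROM is not honoured by current browsers; a site that needs to permit specific framing origins should pair the filter with a Content-Security-Policy frame-ancestors directive.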